Support » Plugin: Register Plus Redux » stored_user_password not being deleted after verification

  • Resolved Jeff Lambert



    In working with your plugin I came across a non-fatal issue.

    In the rpr_login_form_verifyemail function in the rpr-login.php file you have this condition:

    if ( empty( $user_password ) ) {

    You should probably add an “else” case with the following:

    delete_user_meta( $user_id, ‘stored_user_password’ );

    Otherwise the stored_user_password is left in the usermeta table.

    You may want to consider encrypting the value with a 2-way encryption routine just so a password isn’t in there as plain text.

    I also noticed, in the same function, that you are outputting text with sprintf with the %s being set to $user_login. However, you haven’t set this variable anywhere in the function. Though I know you know this, the following should do the trick:

    $userinfo = get_userdata($user_id);
    $user_login = $userinfo->user_login;

    Or using first + last… if available…

    Thanks for a great plugin. I did end up pulling out the rpr_login_form_verifyemail function as my client wants all login related activity handled from within a custom page template and not through wp-login.php.


Viewing 2 replies - 1 through 2 (of 2 total)
  • +1

    Agree, the passwords should never be stored in plain text, even more sent in emails.

    Apart from that, great plugin!

    Plugin Author radiok


    Hey Jeff, I appreciate the feedback, fortunately I actually resolved both of those issues since the release of 3.9.8 during some other work. Considering the time lapse since I last worked on Redux… I’m not sure when, but regardless these issues have been resolved for 3.9.9 which is forthcoming.

    Either way I really appreciate this type of information, more often then not I get those, it’s broken messages wherein I have to go through 7 levels of hell to recreate the problem! I’m sure you know what I mean!

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘stored_user_password not being deleted after verification’ is closed to new replies.